Information technology, applied.

Heartbleed, OpenSSL, and Open Source

Heartbleed is a black eye to the open source movement. I don’t agree, however, with those who claim that this bug discredits the open source movement. Many people have unreasonable expectations of open source software. Open source software represents a wonderful example of human generosity. Writing software is extremely difficult and time-consuming. Sharing that work with others without asking for anything in return is a noble act. It resembles scientists sharing their findings for the advancement of science. Everyone benefits.

But just like not all scientific findings prove correct, not all open source software is high quality. The famous claim that “given enough eyeballs, all bugs are shallow” has never been true. Just because the source code for a project is freely available does not guarantee that it will be high quality. The only thing that guarantees quality is good coding practice. OpenSSL illustrates this point.

Heartbleed resulted from poor coding practices. Over time software accumulates ‘cruft’ in the form of obsolete code, dead code, unused features, and so on. Keeping it in good shape requires constant maintenance (‘refactoring’ in programming jargon). This is unglamorous and tedious work so it is often left undone. Such was apparently the case with OpenSSL.

This also applies to many other open source projects, so it is a bit unfair to single out OpenSSL. OpenSSL gained notoriety because it plays such a prominent role in the web. The public tends to think of open source as immune from this kind of problem and was shocked to learn otherwise. It is a problem of expectations.

Unfortunately, I’ve seen many in the open source community respond to Heartbleed by blaming companies for not supporting OpenSSL financially. I guess the irony of this is lost on them. “Why aren’t people paying for free software?!?” Of course, it is good when companies support key projects like this but the problem with OpenSSL was quality control. Plus, this complaint implies that open source developers will only properly maintain their code when paid. This is not true. Many open source projects maintain their code well without external funding.

I hope instead that the open source community will take this opportunity to do some much-needed self-assessment. Open source does a lot of things very well and it is a crucial part of the global software ecosystem. But there are things open source does not do so well. For example, open source documentation is notoriously and near universally bad, a topic I’ve written about many times before. Quality software requires things such as good documentation, comprehensive test suites, and ruthless refactoring, and these are things developers often don’t want to do. Therefore open source projects have to pay special attention to these areas. Heartbleed is an example of when they don’t.